Mark and Jürgen,

On 6/26/20 06:23, Mark Thomas wrote:
> On 26/06/2020 08:21, Jürgen Weber wrote:
>> Hi,
>>
>> when you run tomcat with jsvc and have jsvc drop privileges to a
>> different user, stdout and stderr log files are still created
>> with root as owner. Can you make jsvc create them as the -user ?
>
> I'm no C expert but my reading of
> https://github.com/apache/commons-daemon/blob/master/src/native/unix/native/jsvc-unix.c#L1039
>
> is no.

To be fair, jsvc *could* (be made to) do this, but that is not what the
current code looks like.

Since the euid of the process when the files are created is root (or
elevated in some way), the ownership and permissions of the file should
be able to be set at that time before privileges are dropped.

If these lines were to be added after 1071 (for stdout):

    if(chown(outfile, uid, gid)) {
      perror("chown");
      exit(1);
    }

Then the file could be owned by the unprivileged user/group. The uid and
gid are not currently available in the set_output function.

Hmm. If doreopen is true, then when trying to reopen the log files
(after dropping privileges), I think we'll get ENOACCESS.

I don't use jsvc so I haven't played around with it at all.
I might be completely wrong :)

-chris
